Debian Security Advisory

DSA-1470-1 horde3 -- missing input sanitising

Ulf Härnhammar discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.

This update also provides backported bugfixes to the cross-site
scripting filter and the user management API from the latest Horde
release 3.1.6.

The old stable distribution (sarge) is not affected. An upgrade to
etch is nevertheless recommended.

For the stable distribution (etch), this problem has been fixed in
version 3.1.3-4etch2.